- From: John Kemp <john@jkemp.net>
- Date: Tue, 06 Oct 2009 13:58:40 -0400
- To: Frederick Hirsch <frederick.hirsch@nokia.com>
- CC: W3C Device APIs and Policy WG <public-device-apis@w3.org>

Hi Frederick,

Frederick Hirsch wrote:
> Earlier I listed some of the higher level requirements and goals to
> consider for DAP API Policy [1]. One of these was:
> "10. Able to identify an API by URI"
> I should note that URI need not be the only approach, though my
> inclination was to start with URI.
>
> An example of the first approach, using a URI, is BONDI 1.01 which
> defines IRIs for the various APIs (section 4.2 BONDI architecture and
> security [2]).
>
> A second approach is to use class names, as Marcin noted in the Access
> workshop position paper [3] - APIs could be identified by Javascript
> class name and optional property attribute (see the table in 3.3).
>
> A third approach is to not name APIs at all, but pass material in the
> API invocation to enable use, passing a capability. But for an
> enforcement engine to evaluate declarative policy it would still need
> to be able to name APIs, I would think.
>
> This raises a couple of questions: is the DAP API work restricted solely
> to Javascript or should the model support other languages (degree of
> language independence needed), and does declarative policy require the
> ability to name an API (regardless of whether feature access control is
> included).
>
> It seems to me we need naming and that URIs offer more flexibility. Is
> this a decision easily made, or is discussion required?

+1 to using URIs to name APIs.

As I suggested in an early draft document I presented to the TAG a couple of weeks ago [API], I think an API can be thought of as a (set of) resource(s), which have representations.

If you were to expose the same APIs via a device-hosted HTTP server, what would the URIs look like? Could a URI identify the same resource, regardless of whether that resource is accessed as a Javascript function call or via an HTTP access?

Cheers,

- johnk

[API] http://www.w3.org/2001/tag/2009/09/apis-on-the-web.html (member-restricted, I believe)

> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
> [1] http://lists.w3.org/Archives/Public/public-device-apis/2009Sep/0126.html
>
> [2] http://bondi.omtp.org/1.01/security/BONDI_Architecture_and_Security_v1_01.pdf
>
> [3] http://www.w3.org/2008/security-ws/papers/ACCESSPositionPaper_W3CSecurityWorkshop.pdf

Received on Tuesday, 6 October 2009 17:59:08 UTC